passwd-sso-cli 0.4.3

package/dist/index.js

@@ -0,0 +1,298 @@
+#!/usr/bin/env node
+/**
+ * passwd-sso CLI — Password manager command-line interface.
+ *
+ * Long-lived process model: `unlock` enters a REPL loop where
+ * commands can be executed interactively. `lock` exits the process.
+ */
+import { Command } from "commander";
+import { createRequire } from "node:module";
+import { createInterface } from "node:readline";
+import { loginCommand } from "./commands/login.js";
+import { statusCommand } from "./commands/status.js";
+import { unlockCommand } from "./commands/unlock.js";
+import { listCommand } from "./commands/list.js";
+import { getCommand } from "./commands/get.js";
+import { generateCommand } from "./commands/generate.js";
+import { totpCommand } from "./commands/totp.js";
+import { exportCommand } from "./commands/export.js";
+import { envCommand } from "./commands/env.js";
+import { runCommand } from "./commands/run.js";
+import { apiKeyListCommand, apiKeyCreateCommand, apiKeyRevokeCommand } from "./commands/api-key.js";
+import { agentCommand } from "./commands/agent.js";
+import { decryptCommand } from "./commands/decrypt.js";
+import { isUnlocked, lockVault } from "./lib/vault-state.js";
+import { clearPendingClipboard } from "./lib/clipboard.js";
+import { setInsecure, clearTokenCache, startBackgroundRefresh, stopBackgroundRefresh } from "./lib/api-client.js";
+import * as output from "./lib/output.js";
+const require = createRequire(import.meta.url);
+const cliPkg = require("../package.json");
+const program = new Command();
+program
+    .name("passwd-sso")
+    .description("Password manager CLI")
+    .version(cliPkg.version)
+    .option("-k, --insecure", "Allow self-signed TLS certificates")
+    .hook("preAction", () => {
+    if (program.opts().insecure) {
+        setInsecure(true);
+    }
+});
+program
+    .command("login")
+    .description("Configure server URL and authentication token")
+    .action(loginCommand);
+program
+    .command("status")
+    .description("Show connection and vault status")
+    .option("--json", "Output as JSON")
+    .action((opts) => statusCommand({ json: opts.json }));
+program
+    .command("unlock")
+    .description("Unlock the vault with your master passphrase")
+    .action(async () => {
+    await unlockCommand();
+    if (isUnlocked()) {
+        await interactiveMode();
+    }
+});
+program
+    .command("generate")
+    .description("Generate a secure password")
+    .option("-l, --length <n>", "Password length", "20")
+    .option("--no-uppercase", "Exclude uppercase letters")
+    .option("--no-digits", "Exclude digits")
+    .option("--no-symbols", "Exclude symbols")
+    .option("-c, --copy", "Copy to clipboard")
+    .option("--json", "Output as JSON")
+    .action((opts) => generateCommand({
+    length: parseInt(opts.length, 10),
+    noUppercase: opts.uppercase === false,
+    noDigits: opts.digits === false,
+    noSymbols: opts.symbols === false,
+    copy: opts.copy,
+    json: opts.json,
+}));
+program
+    .command("env")
+    .description("Output vault secrets as environment variables")
+    .option("-c, --config <path>", "Path to .passwd-sso-env.json")
+    .option("--format <format>", "Output format: shell, dotenv, json", "shell")
+    .action((opts) => envCommand({ config: opts.config, format: opts.format }));
+program
+    .command("run")
+    .description("Inject vault secrets into a command's environment")
+    .option("-c, --config <path>", "Path to .passwd-sso-env.json")
+    .argument("<command...>", "Command to execute")
+    .action((command, opts) => runCommand({ config: opts.config, command }));
+const apiKeyCmd = program
+    .command("api-key")
+    .description("Manage API keys");
+apiKeyCmd
+    .command("list")
+    .description("List all API keys")
+    .option("--json", "Output as JSON")
+    .action((opts) => apiKeyListCommand({ json: opts.json }));
+apiKeyCmd
+    .command("create")
+    .description("Create a new API key")
+    .requiredOption("-n, --name <name>", "Key name")
+    .option("-s, --scopes <scopes>", "Comma-separated scopes", "passwords:read")
+    .option("-d, --days <days>", "Expiry in days", "90")
+    .option("--json", "Output as JSON")
+    .action((opts) => apiKeyCreateCommand({
+    name: opts.name,
+    scopes: opts.scopes.split(","),
+    days: parseInt(opts.days, 10),
+    json: opts.json,
+}));
+apiKeyCmd
+    .command("revoke")
+    .description("Revoke an API key")
+    .argument("<id>", "API key ID")
+    .option("--json", "Output as JSON")
+    .action((id, opts) => apiKeyRevokeCommand(id, { json: opts.json }));
+program
+    .command("agent")
+    .description("Start SSH agent or decrypt agent backed by vault")
+    .option("--eval", "Output shell eval-compatible commands")
+    .option("--decrypt", "Start decrypt agent mode (Unix socket)")
+    .action((opts) => agentCommand({ eval: opts.eval, decrypt: opts.decrypt }));
+program
+    .command("decrypt <id>")
+    .description("Decrypt a credential field via agent socket (for hooks)")
+    .requiredOption("--mcp-client <clientId>", "MCP client ID (mcpc_xxx) for authorization")
+    .option("--field <field>", "Field to decrypt (default: password, ignored with --json)")
+    .option("--json", "Output all decrypted fields as JSON (ignores --field)")
+    .action((id, opts) => decryptCommand(id, { field: opts.field, mcpClient: opts.mcpClient, json: opts.json }));
+program.parse();
+// ─── Interactive REPL Mode ──────────────────────────────────────
+async function interactiveMode() {
+    output.info("Vault unlocked. Type a command or `help` for options. `lock` to exit.");
+    // Keep token alive during REPL session
+    startBackgroundRefresh();
+    const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout,
+        prompt: "passwd-sso> ",
+    });
+    rl.prompt();
+    for await (const line of rl) {
+        const args = line.trim().split(/\s+/);
+        const cmd = args[0];
+        if (!cmd) {
+            rl.prompt();
+            continue;
+        }
+        try {
+            switch (cmd) {
+                case "list":
+                case "ls":
+                    await listCommand({ json: args.includes("--json") });
+                    break;
+                case "get":
+                    if (!args[1]) {
+                        output.error("Usage: get <id> [--copy] [--json] [--field <name>]");
+                    }
+                    else {
+                        const fieldIdx = args.indexOf("--field");
+                        const fieldArg = fieldIdx !== -1 ? args[fieldIdx + 1] : undefined;
+                        const field = fieldArg && !fieldArg.startsWith("-") ? fieldArg : undefined;
+                        if (fieldIdx !== -1 && !field) {
+                            output.error("Usage: get <id> --field <name>");
+                            break;
+                        }
+                        await getCommand(args[1], {
+                            copy: args.includes("--copy") || args.includes("-c"),
+                            json: args.includes("--json"),
+                            field,
+                        });
+                    }
+                    break;
+                case "totp":
+                    if (!args[1]) {
+                        output.error("Usage: totp <id> [--copy] [--json]");
+                    }
+                    else {
+                        await totpCommand(args[1], {
+                            copy: args.includes("--copy") || args.includes("-c"),
+                            json: args.includes("--json"),
+                        });
+                    }
+                    break;
+                case "generate":
+                case "gen": {
+                    const lengthIdx = args.indexOf("-l");
+                    const lengthIdx2 = args.indexOf("--length");
+                    const idx = lengthIdx !== -1 ? lengthIdx : lengthIdx2;
+                    const rawLength = idx !== -1 ? args[idx + 1] : undefined;
+                    const parsedLength = rawLength && !rawLength.startsWith("-") ? parseInt(rawLength, 10) : NaN;
+                    if (idx !== -1 && (isNaN(parsedLength) || parsedLength <= 0)) {
+                        output.error("Usage: generate [-l <number>] [--copy]");
+                        break;
+                    }
+                    await generateCommand({
+                        length: isNaN(parsedLength) ? 20 : parsedLength,
+                        copy: args.includes("--copy") || args.includes("-c"),
+                        json: args.includes("--json"),
+                    });
+                    break;
+                }
+                case "export": {
+                    const fmtIdx = args.indexOf("--format");
+                    const outLong = args.indexOf("--output");
+                    const outShort = args.indexOf("-o");
+                    const outIdx = outLong !== -1 ? outLong : outShort;
+                    await exportCommand({
+                        format: fmtIdx !== -1 ? args[fmtIdx + 1] : "json",
+                        output: outIdx !== -1 ? args[outIdx + 1] : undefined,
+                    });
+                    break;
+                }
+                case "env": {
+                    const envFmtIdx = args.indexOf("--format");
+                    const envConfIdx = args.indexOf("-c");
+                    const envConfIdx2 = args.indexOf("--config");
+                    const envCIdx = envConfIdx !== -1 ? envConfIdx : envConfIdx2;
+                    await envCommand({
+                        config: envCIdx !== -1 ? args[envCIdx + 1] : undefined,
+                        format: envFmtIdx !== -1 ? args[envFmtIdx + 1] : "shell",
+                    });
+                    break;
+                }
+                case "decrypt": {
+                    if (!args[1]) {
+                        output.error("Usage: decrypt <id> --mcp-client <mcpc_xxx> [--field <field>]");
+                    }
+                    else {
+                        const tokenIdx = args.indexOf("--mcp-client");
+                        const mcpClient = tokenIdx !== -1 ? args[tokenIdx + 1] : undefined;
+                        if (!mcpClient || mcpClient.startsWith("-")) {
+                            output.error("Usage: decrypt <id> --mcp-client <mcpc_xxx> [--field <field>]");
+                            break;
+                        }
+                        const fieldIdx = args.indexOf("--field");
+                        const fieldArg = fieldIdx !== -1 ? args[fieldIdx + 1] : undefined;
+                        const field = fieldArg && !fieldArg.startsWith("-") ? fieldArg : undefined;
+                        const json = args.includes("--json");
+                        await decryptCommand(args[1], { field, mcpClient, json });
+                    }
+                    break;
+                }
+                case "api-key": {
+                    const sub = args[1];
+                    if (sub === "list") {
+                        await apiKeyListCommand({ json: args.includes("--json") });
+                    }
+                    else {
+                        output.error("Usage: api-key list [--json]");
+                    }
+                    break;
+                }
+                case "status":
+                    await statusCommand({ json: args.includes("--json") });
+                    break;
+                case "lock":
+                case "exit":
+                case "quit":
+                    stopBackgroundRefresh();
+                    lockVault();
+                    clearTokenCache();
+                    clearPendingClipboard();
+                    output.success("Vault locked.");
+                    rl.close();
+                    return;
+                case "help":
+                case "?":
+                    console.log(`
+Commands:
+  list [--json]                                 List all entries
+  get <id> [--copy] [--json]                    Show entry details
+  get <id> --field password --copy              Copy a specific field
+  totp <id> [--copy] [--json]                   Generate TOTP code
+  generate [-l N] [--copy] [--json]             Generate password
+  export [--format json|csv] [-o file]          Export vault
+  env [--format shell|dotenv|json]              Output vault secrets as env vars
+  decrypt <id> --mcp-client <mcpc_xxx> [--field]  Decrypt via agent socket
+  api-key list [--json]                         List API keys
+  status [--json]                               Show connection status
+  lock                                          Lock vault and exit
+          `.trim());
+                    break;
+                default:
+                    output.error(`Unknown command: ${cmd}. Type 'help' for options.`);
+            }
+        }
+        catch (err) {
+            output.error(err instanceof Error ? err.message : "An error occurred");
+        }
+        rl.prompt();
+    }
+    // EOF (Ctrl+D) — cleanup
+    stopBackgroundRefresh();
+    lockVault();
+    clearTokenCache();
+    clearPendingClipboard();
+    output.success("Vault locked.");
+}
+//# sourceMappingURL=index.js.map

package/dist/lib/api-client.d.ts

@@ -0,0 +1,22 @@
+/**
+ * API client for the CLI tool.
+ *
+ * Uses native Node.js fetch with Bearer token authentication.
+ * Automatically refreshes expired tokens.
+ */
+export declare function setInsecure(enabled: boolean): void;
+export declare function getToken(): Promise<string | null>;
+export declare function setTokenCache(token: string, expiresAt?: string): void;
+export declare function clearTokenCache(): void;
+export interface ApiResponse<T = unknown> {
+    ok: boolean;
+    status: number;
+    data: T;
+}
+export declare function apiRequest<T = unknown>(path: string, options?: {
+    method?: string;
+    body?: unknown;
+    headers?: Record<string, string>;
+}): Promise<ApiResponse<T>>;
+export declare function startBackgroundRefresh(): void;
+export declare function stopBackgroundRefresh(): void;

package/dist/lib/api-client.js

@@ -0,0 +1,145 @@
+/**
+ * API client for the CLI tool.
+ *
+ * Uses native Node.js fetch with Bearer token authentication.
+ * Automatically refreshes expired tokens.
+ */
+import { loadToken, saveToken, loadConfig, saveConfig } from "./config.js";
+let cachedToken = null;
+let cachedExpiresAt = null;
+export function setInsecure(enabled) {
+    if (enabled) {
+        process.stderr.write("WARNING: TLS certificate verification is disabled. Your credentials may be intercepted.\n");
+        process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+    }
+}
+export async function getToken() {
+    if (cachedToken)
+        return cachedToken;
+    cachedToken = await loadToken();
+    return cachedToken;
+}
+export function setTokenCache(token, expiresAt) {
+    cachedToken = token;
+    if (expiresAt) {
+        cachedExpiresAt = new Date(expiresAt).getTime();
+    }
+}
+export function clearTokenCache() {
+    cachedToken = null;
+    cachedExpiresAt = null;
+}
+function getBaseUrl() {
+    const config = loadConfig();
+    if (!config.serverUrl) {
+        throw new Error("Server URL not configured. Run `passwd-sso login` first.");
+    }
+    return config.serverUrl.replace(/\/$/, "");
+}
+/** Refresh buffer: refresh 2 minutes before expiry */
+const REFRESH_BUFFER_MS = 2 * 60 * 1000;
+function isTokenExpiringSoon() {
+    if (!cachedExpiresAt) {
+        // Load from config if not cached
+        const config = loadConfig();
+        if (config.tokenExpiresAt) {
+            cachedExpiresAt = new Date(config.tokenExpiresAt).getTime();
+        }
+    }
+    if (!cachedExpiresAt)
+        return false;
+    return Date.now() >= cachedExpiresAt - REFRESH_BUFFER_MS;
+}
+async function refreshToken() {
+    const token = await getToken();
+    if (!token)
+        return false;
+    const baseUrl = getBaseUrl();
+    try {
+        const res = await fetch(`${baseUrl}/api/extension/token/refresh`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${token}`,
+                "Content-Type": "application/json",
+            },
+        });
+        if (!res.ok)
+            return false;
+        const data = (await res.json());
+        if (typeof data.token !== "string" || !data.token)
+            return false;
+        if (typeof data.expiresAt !== "string" || isNaN(new Date(data.expiresAt).getTime()))
+            return false;
+        await saveToken(data.token);
+        setTokenCache(data.token, data.expiresAt);
+        // Persist expiresAt in config
+        const config = loadConfig();
+        config.tokenExpiresAt = data.expiresAt;
+        saveConfig(config);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function apiRequest(path, options = {}) {
+    let token = await getToken();
+    if (!token) {
+        throw new Error("Not logged in. Run `passwd-sso login` first.");
+    }
+    // Proactively refresh if token is expiring soon
+    if (isTokenExpiringSoon()) {
+        const refreshed = await refreshToken();
+        if (refreshed) {
+            token = await getToken();
+        }
+    }
+    const baseUrl = getBaseUrl();
+    const url = `${baseUrl}${path}`;
+    const { method = "GET", body, headers = {} } = options;
+    const fetchOpts = {
+        method,
+        headers: {
+            Authorization: `Bearer ${token}`,
+            ...(body !== undefined ? { "Content-Type": "application/json" } : {}),
+            ...headers,
+        },
+    };
+    if (body !== undefined) {
+        fetchOpts.body = JSON.stringify(body);
+    }
+    let res = await fetch(url, fetchOpts);
+    // Auto-refresh on 401
+    if (res.status === 401) {
+        const refreshed = await refreshToken();
+        if (refreshed) {
+            const newToken = await getToken();
+            fetchOpts.headers = {
+                ...fetchOpts.headers,
+                Authorization: `Bearer ${newToken}`,
+            };
+            res = await fetch(url, fetchOpts);
+        }
+    }
+    const data = (await res.json().catch(() => ({})));
+    return { ok: res.ok, status: res.status, data };
+}
+// ─── Background Token Refresh Timer ─────────────────────────
+/** Interval: refresh every 10 minutes (well within 15-min TTL) */
+const BG_REFRESH_INTERVAL_MS = 10 * 60 * 1000;
+let bgRefreshTimer = null;
+export function startBackgroundRefresh() {
+    stopBackgroundRefresh();
+    bgRefreshTimer = setInterval(() => {
+        void refreshToken();
+    }, BG_REFRESH_INTERVAL_MS);
+    // Don't keep the process alive just for the timer
+    bgRefreshTimer.unref();
+}
+export function stopBackgroundRefresh() {
+    if (bgRefreshTimer) {
+        clearInterval(bgRefreshTimer);
+        bgRefreshTimer = null;
+    }
+}
+//# sourceMappingURL=api-client.js.map

package/dist/lib/blocked-keys.d.ts

@@ -0,0 +1,2 @@
+/** Env vars that must never be overwritten (case-insensitive). */
+export declare const BLOCKED_KEYS: Set<string>;

package/dist/lib/blocked-keys.js

@@ -0,0 +1,23 @@
+/** Env vars that must never be overwritten (case-insensitive). */
+export const BLOCKED_KEYS = new Set([
+    "PATH",
+    "LD_PRELOAD",
+    "LD_LIBRARY_PATH",
+    "DYLD_INSERT_LIBRARIES",
+    "DYLD_FRAMEWORK_PATH",
+    "NODE_OPTIONS",
+    "NODE_PATH",
+    "PYTHONPATH",
+    "PYTHONSTARTUP",
+    "PYTHONUSERBASE",
+    "RUBYLIB",
+    "RUBYOPT",
+    "PERL5LIB",
+    "PERL5OPT",
+    "JAVA_TOOL_OPTIONS",
+    "_JAVA_OPTIONS",
+    "CLASSPATH",
+    "BASH_ENV",
+    "ENV",
+]);
+//# sourceMappingURL=blocked-keys.js.map

package/dist/lib/clipboard.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Clipboard utilities with auto-clear after 30 seconds.
+ *
+ * Uses clipboardy for cross-platform support.
+ * Compares clipboard hash before clearing to avoid overwriting user's copy.
+ */
+export declare function copyToClipboard(content: string): Promise<void>;
+export declare function clearPendingClipboard(): void;

package/dist/lib/clipboard.js

@@ -0,0 +1,79 @@
+/**
+ * Clipboard utilities with auto-clear after 30 seconds.
+ *
+ * Uses clipboardy for cross-platform support.
+ * Compares clipboard hash before clearing to avoid overwriting user's copy.
+ */
+import { createHash } from "node:crypto";
+import { execSync } from "node:child_process";
+const CLEAR_TIMEOUT_MS = 30_000;
+let clearTimer = null;
+let copiedHash = null;
+function hashContent(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+async function getClipboardy() {
+    return import("clipboardy");
+}
+export async function copyToClipboard(content) {
+    const { default: clipboardy } = await getClipboardy();
+    await clipboardy.write(content);
+    copiedHash = hashContent(content);
+    // Cancel previous timer
+    if (clearTimer) {
+        clearTimeout(clearTimer);
+        clearTimer = null;
+    }
+    // Schedule auto-clear
+    const timer = setTimeout(async () => {
+        try {
+            const current = await clipboardy.read();
+            if (copiedHash && hashContent(current) === copiedHash) {
+                await clipboardy.write("");
+            }
+        }
+        catch {
+            // ignore clipboard read errors
+        }
+        copiedHash = null;
+        clearTimer = null;
+    }, CLEAR_TIMEOUT_MS);
+    timer.unref();
+    clearTimer = timer;
+}
+export function clearPendingClipboard() {
+    if (clearTimer) {
+        clearTimeout(clearTimer);
+        clearTimer = null;
+    }
+    copiedHash = null;
+}
+// Signal handlers to clear clipboard on exit
+function onExit() {
+    if (copiedHash) {
+        // Best-effort synchronous clipboard clear — cannot await in exit handler.
+        // Use platform-specific commands to actually clear the clipboard content.
+        try {
+            if (process.platform === "darwin") {
+                execSync("pbcopy < /dev/null", { stdio: "ignore", timeout: 1000 });
+            }
+            else if (process.platform === "linux") {
+                execSync("xclip -selection clipboard < /dev/null 2>/dev/null || xsel --clipboard --delete 2>/dev/null", { stdio: "ignore", timeout: 1000, shell: "/bin/sh" });
+            }
+        }
+        catch {
+            // Ignore — best effort only
+        }
+        clearPendingClipboard();
+    }
+}
+process.on("SIGINT", () => {
+    onExit();
+    process.exit(130);
+});
+process.on("SIGTERM", () => {
+    onExit();
+    process.exit(143);
+});
+process.on("exit", onExit);
+//# sourceMappingURL=clipboard.js.map

package/dist/lib/config.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Configuration management for the CLI tool.
+ *
+ * Config file: $XDG_CONFIG_HOME/passwd-sso/config.json
+ * Credentials: OS keychain (via keytar) or $XDG_DATA_HOME/passwd-sso/credentials
+ *
+ * Legacy ~/.passwd-sso/ is auto-migrated on first access.
+ */
+export interface CliConfig {
+    serverUrl: string;
+    locale: string;
+    tokenExpiresAt?: string;
+}
+export declare function loadConfig(): CliConfig;
+export declare function saveConfig(config: CliConfig): void;
+export declare function saveToken(token: string): Promise<"keychain" | "file">;
+export declare function loadToken(): Promise<string | null>;
+export declare function deleteToken(): Promise<void>;